The heavily marketed fingerprint sensor in Samsung's new Galaxy S5 smartphone has been defeated by whitehat hackers who were able to gain unfettered access to a PayPal account linked to the handset.

The hack, by researchers at Germany's Security Research Labs, is the latest to show the drawbacks of using fingerprints, iris scans, and other physical characteristics to authenticate an owner's identity to a computing device. While advocates promote biometrics as a safer and easier alternative to passwords, that information is leaked every time a person shops, rides a bus, or eats at a restaurant, giving attackers plenty of opportunity to steal and reuse it. This new exploit comes seven months after a separate team of whitehat hackers bypassed Apple's Touch ID fingerprint scanner less than 48 hours after it first became available.

"We expected we'd be able to spoof the S5's Finger Scanner, but I hoped it would at least be a challenge," Ben Schlabs, a researcher at SRLabs, wrote in an e-mail to Ars. "The S5 Finger Scanner feature offers nothing new except—because of the way it is implemented in this Android device—slightly higher risk than that already posed by previous devices."

Schlabs, who was assisted by a whitehat-hacking colleague who goes by the moniker Dexter, said the Samsung bypass was more concerning because, unlike the iPhone, the S5 has no mechanism requiring a password when encountering a large number of incorrect finger swipes. Simply by rebooting the device, he was able to cause the handset to accept an unlimited number of incorrect swipes without requiring users to enter a password. More troubling still, the S5 fingerprint authenticator can be associated with sensitive banking or payment apps such as PayPal. Once Schlabs used a spoof fingerprint to bypass the lock, he was able to gain complete control of the account, including access to money transfers and purchases.

"Perhaps most concerning is that Samsung does not seem to have learned from what others have done less poorly," Schlabs said in a video demonstrating the hack. "Not only is it possible to spoof the fingerprint authentication even after the device has been turned off, but the implementation also allows for seemingly unlimited authentication attempts without ever requiring a password. Incorporation of fingerprint authentication into highly sensitive apps such as PayPal gives a would-be attacker an even greater incentive to learn the simple skill of fingerprint spoofing."

A PayPal spokesman issued a statement that said company officials take the SRLabs findings seriously and that the integration with the fingerprint reader is designed to guard against hacks.

"The scan unlocks a secure cryptographic key that serves as a password replacement for the phone," the statement read in part. "We can simply deactivate the key from a lost or stolen device, and you can create a new one. PayPal also uses sophisticated fraud and risk management tools to try to prevent fraud before it happens. However, in the rare instances that it does, you are covered by our purchase protection policy."

As was the case with last September's Touch ID hack, the attack on Samsung's fingerprint reader used a "wood glue spoof" made from an etched PCB mold. The spoofed fingerprint was crafted by taking a camera-phone photo of an unprocessed latent print smudge left on a smartphone screen. Interestingly, the spoof was left over from work Schlabs did when researching Apple's Touch ID. For reasons he has yet to precisely determine, the spoof doesn't work against an iPhone, but it had no problem unlocking the S5.

Like the researchers who bypassed Touch ID, Schlabs disagreed with critics who claim the hacks are unrealistic in real-world settings or require more skill than many people are capable of. In an e-mail, he explained:

For someone who has medium-resolution pictures of their fingerprints in databases around the world (or even pre-made spoofs lying around the office) like I do, the attack is already very practical. For others, the use of fingerprint authentication on their phones and other devices makes the attack infinitely more likely. The incentive to steal digital fingerprint scans and learn how to mass-produce spoofs grows considerably with every new popular device that is introduced with poorly implemented fingerprint security.

He said Samsung could have done much more to secure its fingerprint reader, including building in a strict password lockout after a few failed swipe attempts. He also said company engineers should have implemented stricter anti-spoofing measures.
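To make the lockout weakness concrete, the following simulation is an added illustration (not SRLabs', Samsung's or Apple's code) that contrasts a failed-swipe counter held only in RAM, which a reboot wipes as described above, with one persisted across reboots that also insists on the passcode for the first unlock after every boot. The threshold of five and the passcode are constructed values; the article does not state Samsung's actual limit.

```python
"""Simulated lockout policies for a fingerprint unlock (added illustration, not
SRLabs', Samsung's or Apple's code; threshold and passcode are constructed)."""
from dataclasses import dataclass, field

MAX_FAILED_SWIPES = 5   # constructed threshold; the article does not give Samsung's value
PASSCODE = "4711"       # constructed sample passcode


@dataclass
class Device:
    """Minimal handset model: a reboot clears RAM but leaves flash untouched."""
    ram: dict = field(default_factory=dict)
    flash: dict = field(default_factory=dict)

    def reboot(self) -> None:
        self.ram.clear()


class VolatileLockout:
    """Weak policy: the strike counter lives only in RAM, so a reboot resets it."""

    def __init__(self, dev: Device) -> None:
        self.dev = dev

    def passcode(self, entered: str) -> str:
        if entered != PASSCODE:
            return "denied"
        self.dev.ram["failed"] = 0
        return "unlocked"

    def fingerprint(self, matched: bool) -> str:
        failed = self.dev.ram.get("failed", 0)
        if failed >= MAX_FAILED_SWIPES:
            return "passcode-required"
        if matched:
            self.dev.ram["failed"] = 0
            return "unlocked"
        self.dev.ram["failed"] = failed + 1   # wiped by the next reboot
        return "denied"


class PersistentLockout:
    """Hardened policy: counter in flash, and the passcode is mandatory once per boot."""

    def __init__(self, dev: Device) -> None:
        self.dev = dev
        self.dev.flash.setdefault("failed", 0)

    def passcode(self, entered: str) -> str:
        if entered != PASSCODE:
            return "denied"
        self.dev.ram["passcode_ok_this_boot"] = True
        self.dev.flash["failed"] = 0          # only a real passcode unlock clears strikes
        return "unlocked"

    def fingerprint(self, matched: bool) -> str:
        # Biometric is allowed only after a passcode unlock on this boot and under the limit.
        if not self.dev.ram.get("passcode_ok_this_boot", False):
            return "passcode-required"
        if self.dev.flash["failed"] >= MAX_FAILED_SWIPES:
            return "passcode-required"
        if matched:
            return "unlocked"
        self.dev.flash["failed"] += 1         # survives a reboot
        return "denied"


def wrong_swipes_evaluated(policy_cls, reboots: int, swipes_per_boot: int,
                           owner_unlocked_first: bool = True) -> int:
    """Count wrong swipes a policy evaluates before insisting on the passcode.
    Models a handset taken after the owner's last passcode unlock and then
    power-cycled between bursts of wrong swipes; a sound policy bounds the
    result by MAX_FAILED_SWIPES no matter how many reboots happen."""
    dev = Device()
    policy = policy_cls(dev)
    if owner_unlocked_first:
        policy.passcode(PASSCODE)
    evaluated = 0
    for _ in range(reboots + 1):
        for _ in range(swipes_per_boot):
            if policy.fingerprint(matched=False) == "denied":
                evaluated += 1
        dev.reboot()
    return evaluated
```

With three reboots and ten swipes per boot, the volatile policy evaluates 20 wrong swipes while the persistent one stops at 5, and with no owner unlock since boot the persistent policy evaluates none at all.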

Schlabs's other criticism of fingerprint authentication from Samsung, Apple, Motorola, and others is the inability to change the information used to prove a person's identity. Once it leaks, the authentication keys are in the hands of attackers forever. He continued:

Passwords can be changed if they are leaked or stolen, and they can be kept completely secret (even from hostile foreign police that one might be unlucky enough to encounter while traveling, for example), but you can always be physically forced to unlock your devices with your finger. Users should be made aware that the security offered by fingerprints is not as easily measured as it is for passwords. Fingerprints can keep opportunistic snoops out, but do not protect well from targeted authentication fraud.

SRLabs is only one of several groups reporting a successful hack of the Samsung phone. This article may be updated with details from the additional attacks.

I am curious, though... how do high-end biometric sensors (i.e., the ones I imagine the .gov using in ultra-secure facilities) safeguard against the old movie trick of simply wrapping a printout of someone's fingerprint around their own finger? Do they require that the finger be at least 95°F and that a pulse is detected?

What if you used a silicone wrapper for your finger? With the advent of 3D printers, this can't really be that far off...

I can certainly understand why the S5 implementation is flawed but maybe someone more knowledgeable than me can explain why this is a realistic real-world threat as Schlabs claims. I mean:

Quote:

For someone who has medium-resolution pictures of their fingerprints in databases around the world (or even pre-made spoofs lying around the office) like I do, the attack is already very practical...The incentive to steal digital fingerprint scans and learn how to mass-produce spoofs grows considerably with every new popular device that is introduced with poorly implemented fingerprint security.

That doesn't exactly sound like something Joe S5-Owner needs to worry about. If someone steals my phone with the intent of accessing my personal data, they're not going to have access to my fingerprints unless they somehow managed to take the most incredibly stealthy and precise photo of my hand, no? My fingerprints only appear on one database so unless the thief also has access to that, I'd have thought I'm in the clear (assuming the scanner needs something that at least resembles my actual fingerprint to unlock).

What am I missing?

Well, if they steal your phone, I'm sure your fingerprints would be all over it. To quote the article:

Quote:

The spoofed fingerprint was crafted by taking a camera-phone photo of an unprocessed latent print smudge left on a smartphone screen.

Granted, if you use a finger that never touched your phone or touched it very rarely, then yes, it would be harder for someone to find and use it. As it stands, though, most people use their index finger and then use that same index finger to touch every spot of the screen.

MythBusters did an episode a few years ago with fingerprint readers; from what I remember, they defeated them pretty easily also.

Generally the fingerprint image does not come from a picture of your finger, but from a picture of a fingerprint you left on an appropriate surface; good candidates are glossy surfaces that are frequently touched. So glasses, glass doors, or, you know, the screen of your phone. From the article:

Quote:

The spoofed fingerprint was crafted by taking a camera-phone photo of an unprocessed latent print smudge left on a smartphone screen.

Chances are good that if someone grabs your phone, your prints are on it. Most people using this will use a thumb or index print, which are the ones most commonly on the screen.

So there's a good chance that just having the phone will have the needed print to use to make the mold.

Like I said in the S5 review discussion: it's strange how everyone went apeshit with privacy and security concerns when Apple released Touch ID, even though it's not accessible to third parties and the only thing you can do with it is unlock the device and make iTunes purchases for the associated account. But now that Samsung has a similar system that is also accessible to third parties and also safeguards your PayPal, everyone is strangely silent when it comes to security and privacy...

The funny thing about using words like "everyone is strangely silent" is that it's disproven by the existence of the very article you're commenting on.

If "everyone" was really just out to get Apple and ignoring Samsung's mistakes as you're suggesting, this article wouldn't exist.

I did not. Biometrics are just as easy, if not in some cases easier, to bypass than a regular password. Throw in passcode phrases and it's a bit more secure. How about a random image with skeletal tracking that you trace certain points on? Even better. Nothing is totally secure, even if it's 6 ft down in the ground and covered in concrete. All it takes is for one person to be interested in it.

I find it funny because the built in "Face detection" thingy does limit the number of attempts, and does have a password input after a failed attempt... Why would you not have the same level of trust with a fingerprint?

Really, fingerprint based authentication has some pluses, but if you look at it all things considered it's just not reasonable. Right now, we have databases and lists of passwords floating around on the internet that have been stolen from online services. If fingerprint auth becomes the norm, instead of lists of strings being leaked, the lists will simply be whatever digital representation of fingerprints becomes the standard.

I believe the fingerprint scanner *does* have a password prompt after a certain number of failed attempts. The problem is that rebooting the phone resets the number of attempts.

It's not unreasonable for a tech giant company to know more than your average DIY tech enthusiast and sell high-end devices that said enthusiast would not be able to defeat.

You would think, but this rarely bears out.

Quote:

To expect -- and more importantly, pay -- for anything less is, on the other hand, a failure of not only the manufacturer but also the market.

I believe that is more a function/personal error of having higher expectations than you should know to have given the trend. I am fairly sure such a device would cost far more than the usual ~$600 USD for a flagship phone.

As I understand it there are two issues: one, defeating the fingerprint scanner, and two, defeating the fingerprint scanner chip's security via software hacking. Defeating the scanner requires physical access to the phone, but how secure is the chip from software hacking?

Apple may have a big edge when it comes to the chip's security against software hacking.

Does Samsung's chip have a secure enclave to prevent software hacking?

It does say in the article that the "unlimited retries" was achieved by involving a device reboot. Presumably if you fail over and over and over, it will lock. But if you fail n-1 times and reboot, it forgets those failures and gives you a fresh count. That is just my take anyway.

I'm not entirely sure the face detection feature would remember failed attempts after a reboot either.

Am I the only one who'd be totally cool with getting a small chip implanted in my hand, I guess that'd be the best place, for authentication? It'd be like having an RFID card on you at all times. Also, since it's not biometric, if somehow it's hacked, you could just get a new one.

I'm not sure of the practicality, but it seems a bit more convenient (granted, after the implantation) than constantly entering passwords, fumbling with keys in your house or car, and any other imagined implementation, and it safeguards against getting your biometric data stolen.

As a point of reference, for the iPhone, you need to enter the PIN/passcode the first time after booting.

It's actually a lot more crappy: you can hack it with a medium-resolution camera phone instead of needing a high-resolution 2400 dpi scan, and it grants access to your financial institution. With Touch ID, the worst someone can do is buy a bunch of stuff from the iTunes store, not drain your bank account.

Isn't the goal ultimately with iBeacon, Isis, or NFC that our phones become pay terminals? I believe the latter is already popular overseas and people don't seem to have a problem with security.

Once the attitude of "that's all we can expect" takes hold, then that's all you're going to get. Put yourself in the manufacturers' shoes: if you don't demand more for your money, why would they bother giving it to you?

Outrage, not complacency, is the correct consumer response if you're interested in better products. Of course, you could work for a manufacturer, in which case your comment would make perfect sense.

Samsung's application design standards forbid consistency between applications. Every team is required to roll as much of their own as possible, it keeps them strong and nimble.

It's all been said before.

My personal reaction when I saw that the S5 had a fingerprint scanner was, "Huh, that'll have the same problems Apple's did. Whatever."

Looks like it's even worse than Apple's implementation, or, as the guy quoted said, they didn't do it "less poorly" like they should have, but instead did it more poorly.

There was a red-alert shit-storm across the web when Apple introduced it.

I'd like to point out that Samsung's scanner also (purportedly) doesn't let you use different angles of your finger for the print. At the very least with Apple's implementation, you could use the side of your pinky or ring finger to unlock it and be slightly less prone to fingerprint hacks, for whatever that's worth.